Differentiating malicious insiders from normal users has proven to be one of the most difficult security challenges facing the Federal Government as illustrated by high-profile insiders such as Bradley Manning, Edward Snowden and the latest, Harold Martin III.
Traditional approaches to this problem tend to focus primarily on technical indicators such as system audit logs, data loss prevention systems, firewalls etc. This information is no doubt valuable, however, one of the problems associated with relying on these data sets is separating the signal (rule-breaking behavior) from the noise (false positives). While these systems can provide important data, the information often lacks the context needed to become actionable.
Instead, MPG advocates a holistic, evidence-based approach that is founded upon historical reviews of past insider threat cases. These reviews typically reveal that opportunities to connect the dots were missed because indicators of wrongdoing were stuck in organizational stovepipes, thus viewed as isolated incidents.
For example, several organizational departments often hold key pieces of information that when viewed alone may appear benign. Counterintelligence may know an employee frequently engages in overseas travel, HR may know of performance issues, the SOC may be aware of suspicious downloads. Alone, these indicators may not be actionable, but when combined they indicate a potential increase in the level of risk associated with that employee.
To remedy these challenges, MindPoint Group is engaging clients with the development of a central repository where insider threat indicators from disparate data sets are identified, collected, fused, and analyzed. The bottom line is that integrating these disparate data sets helps provide the holistic view of employee behavior that is required to prevent, detect and mitigate insider threats.